Re: Help with Security Filtering
- From: mschlank <mschlank@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 23 Jun 2007 17:46:00 -0700
Herb, Thanks.

Can you clarify a few things?

1. What is the difference between Everyone and Authenticated Users?

2. Which Access list am I looking at to see if they are included? Are you referring to the Properties, Security Tab for the GPO itself? I looked there a few times, and neither is listed...only the Security Groups that I found in GPMC plus Creator Owner, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, System.

3. When you say both READ and APPLY_Policy need to apply, are you referring to the same location I just mentioned in #2?

4. Is there a way to see the ACL in the GPO that they are being applied to the computers, besides just noticing the changes live?

5. When you make a setting change in Group Policy, how long is a reasonable amount of time to wait for propagation to occur for user vs computer setting changes?

YES. This is extremely frustrating. Not sure why they didn't just use OU. I hate to have to redo all their work now. When I spoke to them, I get the run-around.

Thanks.

"Herb Martin" wrote:

> "mschlank" <mschlank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:DEAB416C-D6DF-4AB0-9ECA-C86D614A6031@xxxxxxxxxxxxxxxx
> > I am a new IT Director at an office with Windows 2003, Active Directory with
> > only 40 users. Before I arrived, the consultants that installed the server
> > set up "one" main Group Policy (GPO) applied to the main Domain. They disabled
> > the "Default Domain" GPO,
>
> Generally a POOR practice.
>
> > and created a new Group Policy, which is supposed
> > to apply to all users and computers. All computers are in an OU. All users
> > are in 9 different Security Groups under one main OU. I noticed under the
> > Group Policy Management Console, under that GPO, it has a "Security
> > Filtering" tab with 7 of the Security Groups listed, and NO computers.
>
> What groups? If something like Everyone or Authenticated Users is included
> in the access list then everyone (and every computer) is covered.
>
> > I don't think the computers are getting the GPO.
>
> Then likely no entry appears for a group that includes them -- as you have
> guessed.
>
> > If Security Filtering is being used, does that mean that only those users
> > (in Security Groups) and computers listed in this "Security Filtering"
> > are getting the GPO applied? If no computers are listed in the Security
> > Filtering tab, does that mean they are not getting the GPO?
>
> Yes.
>
> Both READ and APPLY_POLICY are needed for the GPO to apply.
>
> Generally filtering by Permissions is also DISCOURAGED unless it is necessary.
> Try to avoid using it.
>
> I have no faith that your consultants had a clue -- although it is theoretically
> possible they were doing the right thing, it is unlikely.
>
> They disabled the Default Policies, added a GPO (perfectly normal), and
> then Filtered it, rather than linking the custom policy where they needed it
> (OUs etc).
>
> Normally one would leave the Default, add the Custom GPO to certain
> OUs and let it override the Default as necessary.
>
> > If I take the Security Groups out of the "Security Filtering", would the GPO
> > apply to all users and computers?
>
> Make sure you leave READ and APPLY policy for Everyone or Authenticated
> Users (although I cannot recall how the GPMC displays this unless it is like all
> the other permission lists in AD.)
>
> --
> Herb Martin, MCSE, MVP
> http://www.LearnQuick.Com
> (phone on web site)
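
The rule discussed in this thread (a GPO is processed only by accounts that hold both Read and Apply Group Policy on it, directly or through a group), as an added example that is not part of the original posts. `Test-GpoApplies` and `New-Ace` are hypothetical helpers, the group names, account names and ACL entries are constructed, and the permission names follow what the later GroupPolicy PowerShell module reports (`GpoApply` meaning Read plus Apply Group Policy).

```powershell
# Added example: a model of GPO security filtering over a constructed ACL.
# 'GpoApply' stands for Read + Apply Group Policy, as the GroupPolicy module's
# Get-GPPermission cmdlet reports it; the Denied field belongs to this model.
function Test-GpoApplies {
    param(
        [Parameter(Mandatory)] [object[]] $Acl,         # entries: Trustee, Permission, Denied
        [Parameter(Mandatory)] [string[]] $Membership   # the account plus every group in its token
    )
    # Only entries whose trustee is the account or one of its groups count.
    $mine = @($Acl | Where-Object { $Membership -contains $_.Trustee })
    # A deny on Apply Group Policy overrides any allow.
    if ($mine | Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' }) { return $false }
    # Read alone or edit rights alone do not make the GPO apply.
    return [bool]($mine | Where-Object { -not $_.Denied -and $_.Permission -eq 'GpoApply' })
}

function New-Ace ($Trustee, $Permission, [bool] $Denied = $false) {
    [pscustomobject]@{ Trustee = $Trustee; Permission = $Permission; Denied = $Denied }
}

# Constructed ACL shaped like the one in the thread: user groups are filtered in,
# administrative trustees hold edit or read rights, Authenticated Users is absent.
$acl = @(
    New-Ace 'Staff-Accounting' 'GpoApply'      # hypothetical filtered group
    New-Ace 'Staff-Sales'      'GpoApply'      # hypothetical filtered group
    New-Ace 'Domain Admins'    'GpoEditDeleteModifySecurity'
    New-Ace 'Enterprise Domain Controllers' 'GpoRead'
    New-Ace 'SYSTEM'           'GpoEditDeleteModifySecurity'
)

# Constructed accounts with the groups carried in their tokens.
$accounts = [ordered]@{
    'alice (Staff-Sales)'   = 'alice', 'Staff-Sales', 'Domain Users', 'Authenticated Users'
    'PC01$ (workstation)'   = 'PC01$', 'Domain Computers', 'Authenticated Users'
    'admin (Domain Admins)' = 'admin', 'Domain Admins', 'Domain Users', 'Authenticated Users'
}

# Same ACL with Read + Apply restored for Authenticated Users.
$fixed = $acl + (New-Ace 'Authenticated Users' 'GpoApply')

foreach ($name in $accounts.Keys) {
    [pscustomobject]@{
        Account       = $name
        FilteredAcl   = Test-GpoApplies -Acl $acl   -Membership $accounts[$name]
        WithAuthUsers = Test-GpoApplies -Acl $fixed -Membership $accounts[$name]
    }
}
```

On a domain with the GroupPolicy module installed, `Get-GPPermission -Name '<GPO name>' -All` lists the real trustees and permission levels to compare against this model.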